Association Launches Initiative to Help Retailers Improve Data Security

In response to a spate of cyber attacks targeting retailers nationwide, the Retail Industry Leaders Association (RILA) announced on Monday that it would help its members improve their cyber defenses by launching a new initiative to address cyber threats and promote further safeguards to protect payment data.

“The RILA Cybersecurity and Data Privacy Initiative seeks to bring public- and private-sector stakeholders together to enhance existing cybersecurity and privacy efforts, inform the public dialogue, and build and maintain consumer trust,” the association said in the announcement.

“Retailers place extremely high priority on data security and invest tremendous resources to prevent attacks, but cyber-criminals are persistent and their methods of attack are increasingly sophisticated. Enhanced security measures help to thwart attacks, but unfortunately some attacks have been successful and the resulting incidents have affected millions,” said Sandy Kennedy, President of the trade association that includes more than 200 retailers, product manufacturers, and service suppliers.

The initiative is organized around three major components.

1. Strengthening Overall Cybersecurity:

Formation of a Retail Cybersecurity Leaders Council – Retailers rebuff cyber threats nearly every day and the resulting lessons can strengthen protections across the entire industry. The Retail Cybersecurity Leaders Council, made up of senior retail executives responsible for cybersecurity, will aim to improve industry-wide cybersecurity capabilities by sharing threat information and discussing effective security solutions in a trusted forum.

Federal Data Breach Notification Legislation – RILA will engage with lawmakers to develop federal data security breach notification legislation that sets a national baseline.

Federal Cybersecurity Legislation – RILA will work with policymakers to help develop federal cybersecurity legislation focused on measures widely viewed as being effective to strengthen cybersecurity for our nation’s critical infrastructure, such as the financial system. At a minimum, this legislation should include support for appropriate information-sharing mechanisms between the private and public sectors.

2. Improving Payments Security:

Eliminate the Mag-Stripe – The existing magnetic stripe technology used on credit and debit cards issued in the United States is antiquated. RILA will urge that it be phased out in favor of the better technology widely used throughout the world.

Universal PIN Security and Chip-based Smart Card Technology – RILA will continue to press the card networks and the issuing banks to migrate to universal PIN security and chip-based smart card technology. In the event of a successful cybersecurity breach, the dynamic security features of such technology effectively prevent the use of stolen data.

System Wide Collaboration – Enhanced card security would be an important first step, but innovation is needed to outpace criminal threats. Therefore, we will seek to forge deeper partnerships with other members of the payments ecosystem to collaborate on migration to near-term card security enhancements, new technologies and long-term, comprehensive solutions to the threats.

3. Addressing Consumer Privacy:

The Retail Data Story – Consumers want and expect data about them to be protected and secure. They also want tailored services and shopping options yet may have questions about the data-related means required to provide them. RILA will work with partners to describe how data is used to provide the experience that consumers demand and share the great lengths that retailers go to protect the data they collect. Where useful, we will help promote data practices and policies that are consistent with RILA’s privacy principles.

The RILA says its members account for more than $1.5 trillion in annual sales, and more than 100,000 stores, manufacturing facilities and distribution centers around the world.

“There’s little chance that this threat will diminish, and more targeted attacks will make it difficult to track, analyze and protect against [retailers],” said Steve Durbin, Global Vice President of the Information Security Forum, on the recent Neiman Marcus and Michaels data breaches. “While this doesn’t mean that every retail transaction is at risk, it does require organizations to better protect such data, to plan for loss of such data, and to have solid resilience and recovery plans in place to deal with any attack and breach.”

More information on the RILA’s cyber security initiative is available here
